CVE-2024-7340
Published 2024-07-31
Priority P267 · Severity high · CVSS 3.1 base score 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit known · EPSS 4.97% (percentile 91.1)
The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| weave | weave | >= 0 < 0.50.8 | 0.50.8 |
Detection & IOCs (extracted from sources)

Path: `/__weave/file/tmp/weave/fs/`

Snort/Suricata rule:

```snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS W&B Weave Server Arbitrary File Leak (CVE-2024-7340)"; flow:established,to_server; http.request_line; content:"GET /__weave/file/tmp/weave/fs/"; fast_pattern; startswith; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-7340.yaml; reference:cve,2024-7340; classtype:web-application-attack; sid:2056182; rev:1; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_09_25, cve CVE_2024_7340, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_09_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

- HTTP GET requests to the path `/__weave/file/tmp/weave/fs/` followed by path traversal sequences (`../` or URL-encoded equivalents) are indicative of exploitation attempts.
- Successful exploitation returns HTTP 200 with Content-Type `application/octet-stream` and a `filename=passwd` header, alongside `/etc/passwd` content matching `root:.*:0:0:` in the response body.
- Detect path traversal via both literal dot-slash sequences and URL-encoded variants: `%2e` for `.`, `%2f` or `%5c` for `/` or `\`, appearing two or more times consecutively in the request URI after `/__weave/file/tmp/weave/fs/`.
- The vulnerability is exploitable by authenticated low-privileged users; monitor for low-privilege accounts making requests to the `/__weave/file/` API endpoint.
- The Snort/Suricata rule (sid:2056182) requires TLS decryption (`tls_state TLSDecrypt`, `deployment SSLDecrypt`) to detect exploitation over HTTPS; without SSL inspection, encrypted traffic will not be inspected.
- The nuclei template sends a single request and matches on a specific traversal payload (`../../../etc/passwd`); real-world attackers may use different traversal depths or target other sensitive files beyond `/etc/passwd`.
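The detection notes above describe the ET rule's matching logic in prose. The following is an added example written for this page, not code from the page, from the Emerging Threats rule authors, or from the W&B Weave project: it translates the rule's `http.request_line` anchor and its PCRE (two or more dot-segment plus separator pairs, literal or URL-encoded, within 10 bytes of the endpoint prefix) into a log-side check that can be run offline over web-server access logs, and adds a response-side check built from the IOCs listed above. Assumptions: the log lines are in common log format (constructed samples below, not real traffic), and the `filename=passwd` indicator is carried in a `Content-Disposition` header, which the notes do not state explicitly.

```python
import re

# Added example for CVE-2024-7340 detection; not code from the page or the
# Weave project. Mirrors ET rule sid:2056182 quoted above.

# The rule's content match, anchored at the start of the request line.
VULN_PREFIX = "GET /__weave/file/tmp/weave/fs/"

# Python translation of the rule's PCRE, applied relative to the end of the
# content match (what the /R modifier does in Snort/Suricata):
#   ^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}
# i.e. within 10 bytes, two or more "one or two dots, then one or more
# slash/backslash" pairs, where each byte may be literal or URL-encoded.
TRAVERSAL_RE = re.compile(
    r"^.{0,10}(?:(?:\.|%2[Ee]){1,2}(?:/|\\|%5[Cc]|%2[Ff]){1,}){2,}"
)

# Extracts the quoted request line ("GET /path HTTP/1.1") from a common-log-
# format line; assumed log format, not something the page specifies.
REQUEST_LINE_RE = re.compile(r'"([A-Z]+ \S+ HTTP/[\d.]+)"')


def is_weave_traversal(request_line: str) -> bool:
    """True if the HTTP request line matches the rule's exploitation pattern."""
    if not request_line.startswith(VULN_PREFIX):
        return False
    return TRAVERSAL_RE.match(request_line[len(VULN_PREFIX):]) is not None


def uses_url_encoding(request_line: str) -> bool:
    """True if the traversal relies on %2e / %2f / %5c encoded bytes."""
    return re.search(r"%2[EeFf]|%5[Cc]", request_line) is not None


def scan_access_log(lines):
    """Return one finding per log line whose request matches the pattern."""
    findings = []
    for line in lines:
        m = REQUEST_LINE_RE.search(line)
        if m is None:
            continue  # not a request log line we understand
        request_line = m.group(1)
        if is_weave_traversal(request_line):
            findings.append({
                "src": line.split(" ", 1)[0],   # client address, first field
                "request": request_line,
                "encoded": uses_url_encoding(request_line),
            })
    return findings


def looks_like_passwd_leak(status: int, headers: dict, body: str) -> bool:
    """Response-side confirmation from the IOCs above: HTTP 200, Content-Type
    application/octet-stream, a filename=passwd disposition (assumed to live in
    Content-Disposition) and a root:...:0:0: line in the body."""
    if status != 200:
        return False
    ctype = headers.get("Content-Type", "")
    disposition = headers.get("Content-Disposition", "")
    return (
        ctype.startswith("application/octet-stream")
        and "filename=passwd" in disposition
        and re.search(r"root:.*:0:0:", body) is not None
    )


# Constructed sample access-log lines (not real traffic): two traversal
# attempts (literal and URL-encoded), one legitimate artifact fetch, one
# unrelated request, and one backslash-separator attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Sep/2024:10:00:01 +0000] "GET /__weave/file/tmp/weave/fs/../../../etc/passwd HTTP/1.1" 200 2314',
    '10.0.0.6 - - [25/Sep/2024:10:00:02 +0000] "GET /__weave/file/tmp/weave/fs/%2e%2e%2f%2e%2e%2fetc/hostname HTTP/1.1" 200 12',
    '10.0.0.7 - - [25/Sep/2024:10:00:03 +0000] "GET /__weave/file/tmp/weave/fs/run-42/artifact.bin HTTP/1.1" 200 8192',
    '10.0.0.8 - - [25/Sep/2024:10:00:04 +0000] "GET /api/health HTTP/1.1" 200 2',
    '10.0.0.9 - - [25/Sep/2024:10:00:05 +0000] "GET /__weave/file/tmp/weave/fs/..\\..\\windows\\win.ini HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['src']}  encoded={f['encoded']}  {f['request']}")
```

Because the regex, like the rule, requires at least two dot-segment pairs, it is depth-agnostic beyond that minimum and covers the literal, `%2e`/`%2f`/`%5c` and backslash forms called out in the notes; the legitimate fetch of `run-42/artifact.bin` does not match because no dot is followed by a separator. The response-side check is useful where only the IDS rule is deployed, since that rule fires on the request alone and cannot tell an attempt from a successful leak.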
GHSA: Weave server API vulnerable to arbitrary file leak
ghsa · 2024-07-31 · CVE-2024-7340 [HIGH] · CWE-20
The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin.
OSV: Weave server API vulnerable to arbitrary file leak
osv · 2024-07-31 · CVE-2024-7340 [HIGH]
The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin.
Suricata: ET WEB_SPECIFIC_APPS W&B Weave Server Arbitrary File Leak (CVE-2024-7340)
suricata · 2024-09-25 · CVSS 8.8 · CVE-2024-7340 [HIGH]
Rule: the Snort/Suricata rule sid:2056182 quoted in full under Detection & IOCs above.
Nuclei: W&B Weave Server - Remote Arbitrary File Leak
nuclei · CVSS 8.8 · CVE-2024-7340 [HIGH]
The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin.
Template:

```yaml
id: CVE-2024-7340

info:
  name: W&B Weave Server - Remote Arbitrary File Leak
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin.
  impact: |
    Authentica
```